CVE-2026-3893

Awaiting Analysis

Published: 28 Apr 2026, 17:34

Last modified:28 Apr 2026, 17:34

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.4 CRITICAL

v3.1 (cve.org)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

28 Apr 2026, 17:34

Published

Vulnerability first disclosed

Description

The Carlson VASCO-B GNSS Receiver lacks an authentication mechanism, allowing an attacker with network access to directly access and modify its configuration and operational functions without needing credentials.

CVSS Metrics

v3.1•CRITICAL•Score: 9.4CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Techniques & Countermeasures

CWE-306•Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Affected Systems

carlson software•vasco-b gnss receiver
< 1.4.0

References (3)

https://www.carlsonsw.com/support-and-training/
https://www.cve.org/CVERecord?id=CVE-2026-3893
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-02.json